Explainer: Multi-factor authentication

Multi-factor authentication is a method of multi-faceted access control which a user can pass by successfully presenting authentication factors from at least two of the three categories:

• knowledge factors (“things only the user knows”), such as passwords or passcodes;
• possession factors (“things only the user has”), such as ATM cards or hardware tokens; and
• inherence factors (“things only the user is”), such as biometrics

Knowledge factors are the most commonly used form of authentication. In this form, the user is required to prove knowledge of a secret in order to authenticate, such as a password.

A password is a secret word or string of characters that is used for user authentication. This is the most commonly used mechanism of authentication. Many multi-factor authentication techniques rely on password as one factor of authentication. Variations include both longer ones formed from multiple words (a passphrase) and the shorter, purely numeric, personal identification number (PIN) commonly used for ATM access. Traditionally, passwords are expected be memorized.

Many secret questions such as “Where were you born?”, are poor examples of a knowledge factor because they may be known to a wide group of people, or be able to be researched.

Possession factors include both connected and disconnected tokens. Connected tokens are devices that are physically connected to the computer to be used, and transmit data automatically. There are a number of different types, including card readers, wireless tags and USB tokens. Disconnected tokens have no connections to the client computer. They typically use a built-in screen to display the generated authentication data, which is manually typed in by the user.

Inherited factors are usually associated with the user, and typically include biometric methods, including fingerprint readers, retina scanners or voice recognition.

Requiring more than one independent factor increases the difficulty of providing false credentials. Two-factor authentication requires the use of two of three independent authentication factors, as identified above. The number and the independence of factors is important, since more independent factors imply higher probabilities that the bearer of the identity credential actually does hold that identity.

Multi-factor authentication is sometimes confused with “strong authentication”. However, “strong authentication” and “multi-factor authentication”, are fundamentally different processes. Soliciting multiple answers to challenge questions can typically be considered strong authentication, but, unless the process also retrieves “something the user has” or “something the user is”, it is not considered multi-factor authentication.